Banking Trojan Trend Hits Japan Hard

In its recent report, National Police Agency mentioned that the current estimated total cost of unauthorized transactions suffered by Japanese users reached 1.417 billion yen during the period of January-May 2014. In comparison the estimated total damage cost from these kinds of threats was 1.406 billion yen in 2013.

Data released by Japanese Bankers Association also gives similar alarming statistics: 21 cases of online banking theft occurred in Q1 2014 compared to 14 cases for the whole of 2013. The damage cost in Q1 2014 for these cases is already three times more than the entire damage cost in 2013. Similarly, our Trend Micro Security Roundup for Q1-2014 shows Japan placing second in the countries most affected by online banking malware, following the United States.

We have seen ZBOT variants like Citadel and Gameover targeting Japanese users in the past, but now we are seeing that a significant increase in the number of online banking Trojans is almost single-handedly due to a single malware family – the VAWTRAK family of online banking malware.

VAWTRAK was first spotted in August 2013 as an attachment to fake shipping notification emails. However, at the time, it was only engaged in the theft of information from FTP and email clients. Recently, however, VAWTRAK has expended to include the theft of banking credentials. As a result of this new behavior, we have seen a significant increase in the number of users affected by VAWTRAK.

We assume that several popular sites in Japan may have been compromised – either directly or via malicious advertisements. From these sites, they are led to malicious sites which contain the Angler Exploit Kit; in several cases the Angler Exploit Kit was identified as leading the users to various Flash and Java exploits. These exploits are then used to install VAWTRAK onto affected systems. Angler is one of the more popular replacements for the Blackhole Exploit Kit, which was shut down in 2013. Feedback from the Smart Protection Network indicates that the top countries affected by this threat are Japan (79.22%), United States (6.47%), and Germany (6.29%).

Figure 2. Top countries affected by VAWTRAK, May-June 2014

In terms of behavior, VAWTRAK is not particularly innovative. Its behavior is very similar to previous malware families. Its previous behavior of stealing FTP credentials is similar to FAREIT malware, while its banking theft routines is similar to the ZBOT family of banking malware. Both of these families are frequently distributed by spam messages via malicious attachments.

In addition to stealing your money, VAWTRAK also increases the risk of users being affected by other malware. It checks for the presence of a wide variety of security software (including Trend Micro products). If it finds any, it tries to downgrade the privileges of the security software, in an attempt to render these ineffective. Four major banks and five other credit card companies in Japan have been targeted by this malware.

According to senior threat researcher Matsuka Bakuei, the increase in banking malware targeting JP banks can be attributed to information stealing malware such as VAWTRACK and TSPY_AIBATOOK, that have added a functionality allowing it to steal banking credentials. Furthermore, traditional banking malware like ZeuS/Citadel is not the only malware which hit JP banks.

In the meantime, we advise that users disable or uninstall browser plug-ins (like Java, Adobe Flash, and Adobe Reader) if they are not needed. If they are needed, we strongly recommend that they be kept up to date, in order to minimize the risk from exploit kits that frequently use exploits for old vulnerabilities.